The following documents are considered herein:
[non-patent document 1] TPM Main, Part 1 DesignPrinciples, Specification Version 1.2, October 2003,Internet <URL: http://www.trustedcomputinggroup.org>[non-patent document 2] TPM Main, Part 2 TPMStructures, Specification Version 1.2, October 2003,Internet <URL: http://www.trustedcomputinggroup.org>[non-patent document 3] TPM Main, Part 3 Commands,Specification Version 1.2, October 2003, Internet<URL:http: //www.trustedcomputinggroup.org>[non-patent document 4] TCG Software Stack (TSS),Specification, Version 1.1, August 2003, Internet <URL:http: //www.trustedcomputinggroup. org>[non-patent document 5] TCG PC Specific,Implementation Specification, Version 1.1, August 2003,Internet <URL: http://www.trustedcomputinggroup.org>
The specification issued by TCG (Trusted Computing Group), which is an industry working group of a legal entity whose aim is to improve security of computers, defines a hardware component equipped with an anti-tamper capability. The hardware component can provide prevention against unauthorized readout and tampering of confidential data (non-patent documents 1 to 5). This component is a security chip referred to as Trusted Platform Module (abbreviated as TPM hereinafter) and can provide various security services relating to a computing platform. The TPM module has already been installed in a plurality of personal computers, and is becoming involved in other platforms including servers and mobile devices.
As one of the services provided by TPM module there is a service which is referred to as attestation in the TCG terminology. In this service a computer measures the configuration of hardware and software, and reports precise values of a measurement to a third party as reliable information. This information is valuable to an individual who needs to know the reliability of the platform used in a service provider.
The measurement results of the configuration by a TPM module are stored in a platform configuration register (abbreviated as PCR register hereinafter) inside of the TPM module as PCR values. With a request of attestation, the TPM module generates a digital signature of PCR values, and returns both the PCR values and the digital signature to the requester. With the return, the requester can acquire rather accurate and reliable information about attributes on the platform, with an assumption that the requester will share a certain degree of confidence in the TPM module.
There are not many PCR registers equipped in a TPM module. In the TCG specification it is specified that there should be 16 PCR registers as a minimum number. However, most of the registers have been reserved for some specifically dedicated purposes. Therefore, in order to register some new information added on the previous value, a specific process called PCR extension is adopted to renew the register in record mode for a PCR value of each PCR register. This process is indicated in the following equation.NewPCRj Value=HASH(OldPCRj value∥Additional Value)  [Equation 1]
Here, the suffix “j” is an index identifying each PCR register. In other words, when each register is extended with a new additional value, the new PCR value is a cryptographic hash value of concatenation of the Old PCR value and an additional value. During a boot sequence the platform continuously executes extension operations for each register using a hash value of the software component executed sequentially as an additional value. All through this time period, the platform records the log information about extension operations.
However, the detailed information on configuration which is registered in the PCR registers as described hereinbefore is very much useful for attackers. Using the information, the attackers know immediately what kind of attack tools would be useful for the platform and what would be the time when the platform altered the configuration.